14:5 (TESTING TECHNIQUES FOR COMMON SECURITY CONTROLS (conducted by IS…
TESTING TECHNIQUES FOR COMMON SECURITY CONTROLS
(conducted by IS Auditor)
Terminal Cards and Keys
take a sample of these cards or keys and
attempt to gain access beyond that which is authorized
want to know if the security administrator followed up on any unsuccessful attempted violations.
work with the
network manager to get a listing of terminal addresses and locations
list can then be used to inventory the terminals,
looking for incorrectly logged, missing or additional terminals.
sample of terminals to ensure that they are identified in the network diagram
Logon IDs and Passwords
going through the office wastebasket looking for confidential information and passwords.
test confidentiality, the IS auditor could attempt to guess the password of a sample of employees’ logon IDs
done discreetly to avoid upsetting employees
tour end-user and programmer work areas looking for passwords taped to the side of terminals or the inside of desk drawers
Another way to test password strength is to analyze global configuration settings
for password strength in the system application
and compare this with the organization’s security policy
IS auditor should work with the security administrator
to attempt to view the internal password table.
individual can obtain the encryption program, they can encrypt common passwords and look for matches.
test access authorization
IS auditor should
review a sample of access authorization documents
to determine if proper authority has been provided
match the sample of these rules to authorizing documents. If no
written authorization is found
indicates a breakdown in control
computer-generated report of computer access rules,
take a sample to determine if the access is on a need-to-know basis,
granted on a need-to-know basis.
Account settings for minimizing unauthorized access should be available from most access control software or from the OS.
IS auditor can perform the following
test periodic change requirements,
interview a sample of users to determine if they are forced to change their password after the prescribed time interval
test for disabling or deleting of inactive logon IDs and passwords,
computer-generated list of active logon IDs
match this list to current employees, looking for logon IDs assigned to employees or consultants who are no longer with the company.
the IS auditor should attempt to create passwords in a format that is invalid
test for automatic logoff of unattended terminals, the IS auditor should log on to a number of terminals. Sim
ply wait to get it logged of automatically
automatic deactivation of terminals after unsuccessful access attempts,
purposefully entering the wrong password
a number of times
method of reactivation : simple telephone call to the security administrator with no verification of identification results in reactivation, then this function is not controlled properly.
masking of passwords on terminals
, the IS auditor
should log on to a terminal and observe if the password is displayed when entered.
Controls Over Production Resources
Computer access controls should extend beyond application data and transactions
numerous high-level utilities, macro or job control libraries, control libraries, and system software parameters for which access control should be particularly strong
IS auditor should work with
system software analyst & operations
if access is on a need-to-know basis for all sensitive
who can access these resources and what can be done with
Logging and Reporting of Computer Access Violations
attempt to access computer transactions or data for which access is not authorized. Should be identified in report as "Unsuccessful"
test should be coordinated with the data owner and security administrator to avoid violation of security regulations
Follow-up Access Violations
test the effectiveness and timeliness of the security administrator and data owner’s responses to reported violation attempts,
IS auditor should
select a sample of security reports and look for evidence of follow-up and investigation of access violations.
Bypassing Security and Compensating Controls
IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security.
system software feature permits the user to perform complex system maintenance, which may be tailored to a specific environment or company.
special system maintenance logon IDs
These logon IDs often are provided by vendors. The names can be determined easily because they are the same for all similar computer systems (i.e., system).
Passwords should be changed immediately upon installation to secure the systems.
input/output (I/O) devices.
bypass label processing
bypasses the computer reading of the file label. Because most access control rules are based on file names
who can access, whether access is need to know basis
IS auditor should also ensure that:
• All uses of
these features are logged, reported and investigated
by the security administrator or system software manager
Unnecessary bypass security features are deactivated
• If possible, the
bypass security features are subject to additional LOGICAL ACCESS CONTROLS
Review Access Controls and Password Administration
• Procedures exist for
adding individuals to the list of those authorized to have access to computer resources,
changing their access capabilities
deleting them from the list.
• Procedures exist to
ensure that individual passwords are not inadvertently disclosed.
• Passwords issued are of an
cannot be easily guessed and do not contain repeating characters.
• Passwords are
• User organizations
periodically validate the access capabilities currently
provided to individuals in their department.
• Procedures provide for the
suspension of user identification codes
(logon IDs or accounts) or the disabling of terminal, microcomputer or
data entry device activity—after a particular number of security procedure violations